Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-3048

"Local" authentication fails when LDAP is used for ManagementRealm

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Major
    • 8.1.0.CR1, 8.1.0.Final
    • 8.0.0.Final
    • Security
    • None
    • Hide

      1. Configure the ManagementRealm to use LDAP authentication.
      2. Also enable local authentication for the same realm.
      3. Attempt to invoke a command via jboss-cli, locally.
      4. Note that you are prompted for a username and password (should use local auth, requiring no prompt.)
      5. Remove LDAP authentication from ManagementRealm.
      6. Attempt to invoke the same command again via jboss-cli, locally.
      7. Note that the command is carried out without a username and password prompt.

      Show
      1. Configure the ManagementRealm to use LDAP authentication. 2. Also enable local authentication for the same realm. 3. Attempt to invoke a command via jboss-cli, locally. 4. Note that you are prompted for a username and password (should use local auth, requiring no prompt.) 5. Remove LDAP authentication from ManagementRealm. 6. Attempt to invoke the same command again via jboss-cli, locally. 7. Note that the command is carried out without a username and password prompt.
    • Documentation (Ref Guide, User Guide, etc.), Compatibility/Configuration

    Description

      When LDAP is used for authentication in ManagementRealm, "local" authentication, which is enabled in configuration for the realm, appears to stop working.

      I have configured my ManagementRealm to use LDAP for authentication of remote clients. However, I also need to allow local authentication without a username and password, for when jboss-cli is invoked from the command line on the server. This is needed in order for the wildfly-init-debian.sh script to shut down the server. I have configured the ManagementRealm as follows:

      <security-realm name="ManagementRealm">
      <authentication>
      <local default-user="$local" />
      <ldap connection="..." base-dn="ou=accounts,dc=..." recursive="false">
      ...
      </ldap>
      </authentication>
      <authorization map-groups-to-roles="false">
      <ldap connection="...">
      ...
      </ldap>
      </authorization>
      </security-realm>

      I left out most of the LDAP configuration because I don't think it is important for this issue. LDAP authentication works fine for remote clients. In fact, it works fine for local clients as well--when I invoke jboss-cli with LDAP authentication enabled, it prompts for a username and password; if I enter a valid combination from the LDAP directory, jboss-cli connects successfully and executes its command.

      The problem is that I need it to NOT prompt for a username and password when jboss-cli is invoked locally. Which, I believe, is how things are supposed to work when "local" authentication is also enabled; it just doesn't work that way when LDAP is enabled for the same realm.

      If I comment out the <ldap .../> element in <authentication> for the realm, local authentication starts working again. I can invoke jboss-cli locally and the command is carried out without a username and password prompt. Re-enable LDAP, with no other configuration changes, and again it flips back to requiring a username and password.

      I have tried replacing "$local" in the @default-user element of the <local> element with a valid name from the LDAP directory, both as a simple username and as a full DN, and jboss-cli still prompts for a username and password.

      The modification date on the [tmp/auth] directory changes when I run jboss-cli with LDAP in place and get the username/password prompt, so it appears that the client is putting a token in there to try to use local authentication. The server just never picks it up.

      The documentation specifically mentions that <local/> should work along with <ldap/> here:
      https://docs.jboss.org/author/display/WFLY8/Security+Realms

      Attachments

        Issue Links

          relates to

          Bug - A problem that impairs or prevents the functions of the product. WFCORE-3823 The legacy standalone.xml config does not set skip-group-loading="true"

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Resolved

          Bug - A problem that impairs or prevents the functions of the product. WFLY-10356 The legacy standalone-load-balancer config does not set skip-group-loading="true"

          • Minor - To be worked after urgent, high, and medium priorities are resolved. This term is chosen when the severity of the issue is low, or the complexity or effort to correct it may be higher, relatively speaking. For low priority issues, known workarounds exist or are not needed due to the trivial effort needed to address the issue.
          • Closed

          Task - Represents a small unit of work that is not end-user facing. WFCORE-308 Switch default of skip-group-loading to 'true' for local auth.

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              mattj6502 Matt Jensen (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: